7 February 2019

odd signals picked-up using the Arctic KiwiSDR

7600 Hz wideband signals from (only!) Kiwi ArcticSDR and using single tone QAM-64 modulation at a symbol rate of 7200Bd. The signals seem to have specular positions of a "supposed" reference/pilot tone. Most likely, the signals "leak" out of wired high-voltage lines (PLC) running close the Bjarne's KiwiSDR.


31 January 2019

8-ary constellation bursts at 12800bps data rate (3)

This is a follow-up of the posts about the "clusters" of S4539 12800bps bursts, all posts including this one are grouped here.
Since a couple of days it's possible to hear both the peers, don't know if it's due to new test sites or increased powers but previously the "called" station was not heard (or maybe it did not even exist). As you see, the "called" listens on f2 while it simultaneously replies on f1 (the same for f2/f3 and in all the six clusters) as well as the "caller" station puts its call on f2 while it simultaneously listens on f1 (Fig. 1); the interval between the call and the reply is about 319 ms. Maybe they use staring and synched SDRs?

Fig. 1
This simultaneity is also noted between the lower frequency of a cluster and the higher frequency of the preceding one, as shown in Fig. 2. Particularly, Figure 3 shows the timings between the last and the first cluster (the different signal strengths in Fig. 3 depend on the different locations of the two used KiwiSDRs).

Fig. 2 - timings between two consecutive clusters
Fig. 3 - timings between the last and the first cluster
The raw demodulation exhibits strong 7680-bit period that make 1280 QAM64 symbols (Fig. 4).

Fig. 4

23 January 2019

wideband operations on 4950 KHz, new Harris wideband HF waveforms

since few weeks me and my friend and colleague ANgazu are studying interesting wideband waveforms family spotted on 4950 KHz (central frequency), just in the middle of the 60 mt Broadcast band, these transmissions have been also reported here by our friend KarapuZ from radioscanner.  Monitoring was done thanks the KiwiSDR owned by WA2ZKD that can provide up to 20KHz IQ band http://rx.jimlill.com:8073/.

As shown in Fig. 1, they use Harris WB-ALE paradigm for call and link negotiation:
- STANAG-4538 FLSU initial call for link setup
- spectrum sensing to measure interference within the selected wideband channel
- new burst handshake exchanges spectrum sense measurements
- data exchange
- STANAG-4538 FLSU for link term

Fig. 1
The Harris wideband ALE approach and the 3G extensions for wideband have been previously discussed in this post.  

For what concerns tha data waveforms, we saw bandwiths from 3-24 Khz and modulations from PSK-8 to QAM-64 with a data rate from 75 to 120,000 bps.
Each transmission begins with a transmit level control (TLC) block to allow radio transmit gain control (TGC), transmitter automatic level control (ALC), and receiver automatic gain control (AGC) loops to settle before the actual preamble is sent/received. A variable length preamble for reliable synchronization and autobauding follows the TLC section and it's followed by ariable length frames of alternating data (unknown) and mini-probes (known) symbols: times vary depending on the combinations of speed and modulation.
Although the characteristics such as BWs, modulations and speeds are the same as those indicated in Appendix D of MIL-STD 188-110D (WBHF), these adaptive waveforms definitely do not belong to that standard. Indeed, as shown in the following figures (2-5), the waveforms exhibit a common structure consisting of a super frame which is formed of 8 frames probably related to the 8 different allowable bandwidths: a similar structure and the duration of the frames (i.e., the number of K and U symbols) are quite different from what is stated in the Appendix D.

Fig. 2 - 4800Bd/6KHz waveform
Fig. 3 - 7200Bd/9KHz waveform
Fig. 4 - 9600Bd/12KHz waveform
Fig. 5 - 16800Bd/18KHz waveform

The frames structures have been verified also by analyzing some streams after the demodulation of the signals: in figure 6 the result of the demodulation of a 9600Bd/12KHz chunk (in this case using PSK-8 modulation):

Fig. 6
When measuring  the symbole rate using the quadrature detector, an interesting pattern shows up: a repetitive 8 blocks group which are generated by miniprobes. Up to date, we know the "frequency" in these blocks is different for every speed, starting in lower freq and going upwards. In some modes a mirror image can be seen as in Fig. 7. This is an odd feature since it looks like miniprobes are not phase modulated as data are.

Fig. 7
The 8 different minprobes repeat in a particular series and are complicated to study, their structure point to a sequence (maybe using Walsh modulation?) that repeats 4 times: this pattern seems to be the same in all waveforms varying frequency/duration.
Fig. 8
We have other examples of such miniprobes but we prefer to postpone to a next post, if possible with more precise details. For this purpose, ANgazu and I would like to have some other better recordings (i.e., with IQ band > 20KHz) from friends in US so that we can gather more informations. Thanks!


9 January 2019

unid 1200Bd (G)FSK bursts recorded in Japan

This signal was recorded at different periods using some the KiwiSDRs located in Japan ( http://kiwisdr-jp7fso.ddns.net:8073), it was observed, at least, in three frequencies: 4765, 4626 and 4584 KHz. During night-time good results are also obtained with the KiwiSDR at Irkutsk (Russia), so the origin of the signal seems to be Japan or surroundings. 
My spanish friends ANgazu and Rapidbit (from radiofrecuencias group) did a brief analysis measuring the speed (1200Bd) and the shift between tones (825-890 KHz) and suggesting the GFSK mode (Fig. 1). On my behalf, I veried their measurements and verified that the bursts are 26 secs spaced and carry the same (encrypted?) text sent in async 8N1 mode (Fig. 2), although there are some difference among old recordings and new ones. The stream obtained after removal the start/stop bits does not offer useful information (encryption? not-standard 8-bit alphabet?), same results after descrambled the stream using the polynomial x^3+x^2+x+1. 

Fig. 1
Fig. 2
Maybe some kind of beacon? We thinked that a reference could help others to record and study the signal.

1 January 2019

last logs of 2018

04833.5: ---: Unid, prob. UK MoD 2114 USB MIL 188-110A serial tone waveform, testing XMPP multi-user chat over HF using STANAG-5066 RCOP protocol. Also logged on 4381.0 Khz. (07Dec18) (AAI)
05290.0: TN5: "ZaSKIS" Base for Stationary Communication and Information Systems SVK-Mil Trencin, SVK 1337 USB MIL 188-141A 2G-ALE, handshake PO2 "VKPRESOV" Presov, STANAG-4285 waveform, FTP transfer of GZIP copressed email & files via STANAG 5066 using HBFTP client (12Dec18) (AAI)
05390.8: HWK01: Swedish Mil, S 1334 USB 3G-HF 1-way FLSU, circuit service mode using MIL 188-110A serial tone waveform, sending wrapped data via STANAG-5066 UDOP client (20Dec18) (AAI)
05787.0: CAMP: Unid 1444 USB MIL 188-141A 2G-ALE, calling all stations, MIL 188-110A serial tone waveform, 5x128-bit MI (10Dec18) (AAI)
06395.0: BS3101: Unid 1427 USB MIL 188-141 2G-ALE, handshake BS3501, no continuation (21Nov18) (AAI)
06796.0: TZSO4: Unid 1003 USB MIL 188-141 2G-ALE, sounding (10Nov18) (AAI)
07572.0: PEGASO: Spanish-AF EVA (Escuadrón Vigilancia Aérea) Torrejón de Ardoz, S 0845 USB aily radio-checks with EVA's stations (KANSAS, ORION, EMBARGO, DAGON, PRIMUS,POLAR,...) (26Nov18) (AAI)
07600.0: FN01: Algerian-Mil, ALG 0834 USB MIL 188-141 2G-ALE, handshake FN02, MIL 188-110A serial tone waveform (26Nov18) (AAI)
07641.0: TXFA5: Guardia Cuvil, E 1057 USB MIL 188-141 2G-ALE, calling TWLL1 (also heard callings to TWLN1, TWVB1, TWVO1) (20Dec18) (AAI)
07840.0: SWA: Unid 0949 USB MIL 188-141 2G-ALE, calling SRX (30Nov18) (AAI)
07840.0: SWA: Unid 0954 USB MIL 188-141 2G-ALE, calling HY8 (30Nov18) (AAI)
07840.0: SWA: Unid 1001 USB MIL 188-141 2G-ALE, calling 8CQ (30Nov18) (AAI)
07841.0: DA09: Unid 0745 USB MIL 188-141 2G-ALE calling DA01 (02Nov18) (AAI)
07922.0: ---: Unid 0944 USB STANAG-4286 600bps/L, sending KG-84 encripted data (16Nov18) (AAI)
07975.0: ---: Unid 0840 (CF) MFSK-11 125Bd/250 792ms ACF, lasting ~47s. Also heard at 0915 (07Nov18) (AAI)
08086.0: JU10: Algerian-Mil, ALG 1413 USB MIL 188-141 2G-ALE, calling NX1 (17Dec18) (AAI)
08146.0: AGH: Iraqi Emergency Response Forces, IRQ  1431 USB MIL 188-141 2G-ALE sounding (08Nov18) (AAI)
08167.0: ---: Unid 1230 USB STANAG-4285 600bps/S, async 5N1.5 (ITA2) transfer, encrypted data (18Dec18) (AAI)
08170.0: ---: UK DHFCS, Cyprus 1730 USB STANAG-4285 2400bps/L bursts, 1536-bit TDM protocol (15Dec18) (AAI)
08327.0: ---: Unid 0852 USB 3G-HF 2-way FLSU handshake, HDL+ transfer (26Nov18) (AAI)
08408.0: Unid 0939 (CF) FSK 75Bd/200 continuous encrypted bcast, TDoA runs point to south-west Med sea. Also heard on 10182.0 (CF) (02Nov18) (AAI)
08630.0: HY8: Unid (Algerian-Af?) 0930 USB MIL 188-141A 2G-ALE calling SRB (12Dec18) (AAI)
08770.0: Unid 1500 USB STANAG-4197 ANDVT system (02Nov18) (AAI)
09000.0: KML: Unid 0856 USB MIL 188-141 2G-ALE, calling MAN (03Dec18) (AAI)
09000.0: MAN: Unid 0859 USB MIL 188-141 2G-ALE, calling KML (03Dec18) (AAI)
09019.0: XSS: DHFCS, UK 1509 USB MIL 188-141 2G-ALE sending wx METARs & TAFs via AMD to UKE303 AWACS for RAF airports Waddington (EGXW) e Brize Norton (EGVN)(08Nov18) (AAI)
09065.0: Russian /Mil/Gov 0832 (CF) FSK 100Bd/500, T-207 encryption (02Nov18) (AAI)
09105.0: ---: Unid (US-Mil?) 1240 USB MIL 188-110A serial, IP-over-HF via STANAG-5066 RCOP, 1380 bytes IP packets from to ESP (IPSec) secure protocol used. STANAG-5066 Addresses ( belong to US-DoD (07Nov18) (AAI)
09187.0: ZJ1: Swiss Army, CH 1357 USB MIL 188-141A 2G-ALE handshake ZA1 using Linking Protection, MIL 188-110A serial tone waveform, sending email via FED-1052 App.B, encrypted ASCII-7 data using CFB64 "IDEA" algorithm (12Nov18) (AAI)
09299.0: DA10: Unid 1151 USB MIL 188-141 2G-ALE calling DA01 (08Nov18) (AAI)
09920.0: DA09: Unid 1400 USB MIL 188-141 2G-ALE calling DA01 (05Nov18) (AAI)
10790.0: ---: Russian Mil/Gov 1110 USB CIS-79 "TANDEME", OFDM 79-tone QAM-64 30.5Bd 37.5Hz, PSK-2 special/control symbol each 3 tones (11Dec18) (AAI)
11029.0: DA03: Unid 1100 USB MIL 188-141 2G-ALE calling DA01 (03Nov18) (AAI)
11371.4: HBLZDRD1: Roumenian-Mil, ROU 0801 USB MIL 188-141 2G-ALE calling HFJCDRD1 (02Nov18) (AAI)
11371.4: HBLZDRzZM: Roumenian-Mil, ROU 0810 USB MIL 188-141 2G-ALE calling HFJCDRzZM (02Nov18) (AAI)
12062.0: HL2: Polish-Mil, POL 1050 USB MIL 188-141 2G-ALE, calling KW7 (17Nov18) (AAI)
14606.0: KA2: (KALI12) Polish KFOR unit, KSV 0915 USB MIL 188-141 2G-ALE handshake PL4 (PLATER04), MIL 188-110A serial tone waveform, sending email via STANAG-5066 using HBFTP client, compressed data using GZIP (12Nov18) (AAI)
14606.0: PL4: (PLATER04) Polish KFOR unit, KSV 1118 USB MIL 188-141 2G-ALE handshake OD8 (ODRYNA08), MIL 188-110A serial tone waveform, sending email via STANAG-5066 using HBFTP client, compressed data using GZIP (10Nov18) (AAI)

29 December 2018

9MR - Malaysian Navy, uncommon FSK shift and ITA2 framing

(a joint analysis by me, ANgazu, Cryptomatser)



is the Id & "RY/SG" test tape transmitted by 9MR Royal Malaysian Navy (RMN) [1], picked up using the  VR3BG KiwiSDR located in Hong Kong and tuned on 8461.1 KHz and 6483.1 (CF).
The signals exhibit two curious features, at least in the heard test trasmissions: the first consists of the used 50Bd async FSK waveform with the non-standard and quite uncommon 900Hz shift value (Fig. 1).

Fig. 1 - 900Hz shift
The second feature is the framing which is used during the test operations: as you may see in Figs. 2 and 3, they use ITA2 code (5x28) with alternating framings 5N1/5N2, i.e., a character sent with 1 stop bit followed by a character sent with 2 stop bits:

This odd system causes the 15-bit period visible either in the raster of SA either in the bitstream (the latter reshaped to 30-bit in Figure 2). When a block ends, it possibly uses a special character or new line that causes te one bit shift to the left.

Fig. 2
Fig. 3
According to my friend Cryptomaster, we face a 5N1.5 framing and the synchronous equipment compensates for this disadvantage, resulting in alternation of stops with a length of 2 and 1 bit. About the unusual frequency manipulator, this is a drawback of the frequency manipulation shaper: when changing its polarity, the unfiltered classical transient process is visible (Fig. 4)
It could be a good reason, anyway after removing/cutting the upper and lower extra-frequencies, the signal still exhibits a 900Hz wide spectrum (Fig. 5)

Fig. 5

By the way, our TDoA direction findings (6483.1 KHz signal) point to Tanjung Gelang, site of RMN's Fleet HQ of the Naval Region I.

As a final note, the analysis of the 6483.1 FSK  transmission suggests that there maybe some flaw somewhere.

https://yadi.sk/d/d15nXWys6iSuIg (6483.1 KHz)
https://yadi.sk/d/2gmoADztQTwT0w (8461.1 KHz)

22 December 2018

some recent (unid) catches in the 8 MHz band

STANAG-4285 async operations

Transmission heard on 8167.0 KHz/usb consisting of S4285 600bps/L transfer. After demodulation, the bitstream reveals ITA2 5N1.5 async operation with encrypted data and looks like the format seen here which is possibly used by Turkish-Mil.


MIL 188-110A bursts

Since several days I've been listening to 188-110A Serial Tone bursts on 8058.0 KHz/usb, 600bps short interleaving is the used mode. Burst last 1200ms and have a spacing of 500ms.  The long (hours) sessions continuously send the same 240-bit pattern. 

Fig. 1 - 240 bit pattern (reshaped to bytes)
TDoA runs point to Spain. 

Fig. 2


MFSK-4 100Bd/400

short transmission heard on 8180.0 KHz/usb, unfortunatelly I went very late on it and I have not had the chance to listen to it anymore. My friend KarapuZ suggests Russian source.


15 December 2018

STANAG-5030/MIL-188-140 VLF/LF multichannel broadcast to submarines (tentative)

The Navy ashore VLF/LF transmitter facilities transmit submarine command and control broadcast which is the backbone of the submarine broadcast system. The VLF/LF radio broadcast provides robustness, availability, global coverage, and has seawater penetrating properties. The 200Hz assigned bandwidth for VLF/LF broadcast and the low efficiency (and narrow bandwidth) of the aerials are limiting factors, but the use of Minimum Shift Keying (MSK), a form of Quadrature Phase shift Keying, can allow optimum use of this narrow bandwidth [1]. 
VLF/LF broadcasts to submarines are STANAG-5030 compliant but unfortunately it's a restricted document so no information is publicy available. Moreover, the new STANAG-4724 is currently being ratified by NATO member states as next evolution.  However, googling the web it's possible to retrieve (few) manufacturers brochures of VLF/LF modulators/demodulators, as the one shown in Fig. 1, and get some informations. These equipments can provide TDM multi-channel broadcast (up to four channels, all 50 baud) and mainly use modulation techiniques as MSK (MSK2 2x50 Baud channels and MSK4 4x50 Baud channels), OQPSK and OOK "on-off keying" (the latter usually associated with the Morse Code).

Fig. 1
Reference MSK modulation indicates zero-crossing transitions (eg +1/+1 to -1/-1 and viceversa, +1/-1 to -1/+1 and viceversa) cannot be allowed if phase discontinuity is to be preserved.

I analyzed some easily receivable VLF stations (DHO38, FTA, FUE, GQD, ICV, JXN, NSY, SXA, ...) and found that the phase-plane of some signals exhibits the expected transitions while others signals show odd transitions. The answer is to be found in the harmonics spectrum of the signals (Fig. 2): when the carrier is missing  the PLL algorithm locks onto one of the two spectral lines and causes the odd transitions shown in the phase-plane. The presence/absence of the carrier also makes me think of different solutions adopted by manufacturers since MSK should be coherently detected like OQPSK (that implies acquiring the carrier!) or non-coherently detected like FSK. 

Fig. 2 - carrier is missing in signals like FUE
My friend ANgazu pointed out the use of different filtering (Fig. 3). If a Gaussian filter with a Bt of 0.8 or less is in use, as in FUE, the side lobes are attenuated and the modulation is GMSK. NSY has many side lobes so, most probably, no Gaussian filter is in use and modulation is pure MSK. A special case is JXN that uses a cosine filter.

Fig. 3 - differing filterings
That being said, some equalization/correction is needed to emerge the carrier in the midlle of the two tones as shown in Figure 4:

Fig. 4 - FUE constellation after and before equalization
However (G)MSK doesn't seem to be the sole modulation used: using Diff=1 in the phase-plane it turns out that OQPSK-like modulations are used, as in case of FTA and DHO38 (Fig. 5)

Fig. 5
Indeed, MSK is a special case of Continuous-Phase Frequency Shift Keying (CPFSK) which is a special case of a general class of modulation schemes known as Continuous-Phase Modulation (CPM). It is worth noting that CPFSK is a non-linear modulation and hence by extension MSK is a non-linear modulation as well. Nevertheless, it can also be cast as a linear modulation scheme, namely Offset Quadrature Phase Shift Keying (OQPSK), which is a special case of Phase Shift Keying (PSK)... identifying the used modulation may become a nightmare!

data format
Traffic is encrypted and each channel may convey four different types of broadcasts, reference Figure 1:

VALLOR: a VLF/LF single-channel 50 Bd submarine broadcast operating as a backup to the VERDIN (1) system and using KW-46 encryption system (VALLOR is the codename for KW-46 system);
JASON: it's probably a proper feature of the shown product depicted (maybe a codename of an encryption system?);
CLEAR: most likely clear-text traffic (no encryption is used);
ECF: (Empty Channel Filler), in conditions where no messages are available for a transmission channel, Empty Channel Filler data is generated automatically at the transmitter equipment. 

Data are arrangend in a stream incorporating in a regular manner a symbol dedicated to synchronization and placed every r data symbols, i.e. in the same format defined by STANAG-5065 in which frames are delimited by the pseudo-random sequence generated by the polynomial x^31+x^3+1 (aka "Fibonacci bits"). These formats may also be related to the patent WO2009071589A2 [2]. Error Correction And Detection (EDAC) should be performed using Wagner coding.
Curiously, I found that GQD uses a 28-bit format and a pseudo-random sequence  generated by the polynomial x^32+x^31+x^4+x^3+x+1 ...but I have to say that in this case I used an FSK demodulator.

Fig. 6

transmit system
Figures 7a and 7b show simplified block diagram of the VERDIN (1) VLF/LF transmit system and a real-world equipment used by US-Ny. Shore-to-Sub broadcast is a continuous transmission sequence of prioritized messages which normally lasts two hours. It is generated by ISABPS (Integrated Submarine Automated Broadcast Processor System) and sent to the transmit terminal which is used to multiplex, encrypt, encode, and modulate up to four 50 bps submarine broadcast channels into VLF/LF radio frequency signals which is amplified/radiated by the VLF/LF transmitter antenna. [3]

Fig. 7a - VERDIN system
Fig. 7b - a VERDIN receiver

(to be continued)

(1) VERDIN is a digital data, multichannel communications system operating in the VLF range from shore to deployed submarines. VERDIN permits transmission of up to four 50 Bd channels from an individual transmitter using time division multiplexing.The system is normally operated in a four-channel mode.

12 December 2018

XMPP over HF radio using STANAG-5066


Interesting transmissions spotted on 4381.0 KHz and 4833.5 KHz (all usb) consisting of MIL 188-110A Serial HF waveform (fixed 600bps/S) and 6-bit code clear text (6x28) & STANAG-5066 as bearer for XMPP Multi-User Chat (MUC)  messages.
XMPP, the Internet Standard eXtensible Messaging and Presence Protocol, is the open standard for Instant Messaging (IM), Group Chat and Presence services. XMPP is widely used for military deployments, where operation over constrained and degraded networks is often essential, particularly for tactical operation. 
Multi-User Chat (MUC) is a central service for military communication. If data is being provided, it makes sense to share it so that all interested parties can see it. For example, it will enable external strategists or lawyers to observe communication in real time, and provide input as appropriate. It often makes sense to share information in the field, for example a group of ships jointly working out who will target what and how. MUC is an important operational capability. 
In XMPP a client connects locally to its server, and then there are direct server to server connections (S2S) to support communication with clients on other servers. The mapping of XEP-0361 (Zero Handshake Server to Server Protocol) onto STANAG-5066 is standardized in "XEP-0365: Server to Server communication over STANAG-5066 ARQ”. XEP-0365 is mapped onto the S5066 SIS and transferred using RCOP protocol.
The 6-bit text and S5066 bitstream (Fig. 1) is obtained after demodulating the 188-110A Serial waveform:
Fig. 1
S5066 peers have the addresses and (odd) in 4381.0 KHz channel; the addresses and (even) are used in the 4833.5 KHz channel. These are probably "exercise" addresses since the block 10.50 is allocated to Uganda. 
These transmissions have been monitored for about one day so I could collect hundreds of messages, only some of them are shown below as examples: you can see groupchat messages, Instant Messaging (private messages) and Presence/IQ messages. My friend and colleague Guido @decodesignals logged same transmissions (and same addresses) on 4613.0 Hz, in his catches the S4539 4800bps is used as the HF waveform.

    (a3d5bb51-70c3-4152-9a29-ab7cddbb47a3; 20181207T224101.034169)
    Test Message H - Private Message From GROUND Latency Acct
    <securitylabel xmlns="urn:xmpp:sec-label:0">
    <displaymarking bgcolor="green">UNCLASSIFIED</displaymarking>

    type='groupchat' id='fmucinte54838a0b2804718'>
    <fmuc xmlns='http://isode.com/protocol/fmuc'
    (29f06ec4-a4a9-4849-bd46-42c54efa42ea; 20181207T224452.309137)
    Test Message T - MUC From GROUND Latency Acct
    <securitylabel xmlns="urn:xmpp:sec-label:0">
    <displaymarking bgcolor="green">UNCLASSIFIED</displaymarking>

    to='mission-one@chat.p8-one.net/Supervisor Air'
    type='get' id='d98686c2-d66f-4bdc-9b4e-ceb9911c834e'>
    <query node='http://swift.im#3ScHZH4hKmksks0e7RG8B4cjaT8='

    <fmuc xmlns='http://isode.com/protocol/fmuc'
    <x xmlns='http://jabber.org/protocol/muc'/>

    <fmuc xmlns='http://isode.com/protocol/fmuc'
    <x xmlns='http://jabber.org/protocol/muc'/>

A bit of intelligence gathering can be done by the reading of the messages and from TDoA.
Direction finding  is not easy since the transmissions originate from two different sites, however the results obtained indicate UK as the area of operations (Fig. 2): maybe UK MoD?
Fig. 2 - TDoA result
The namespace attribute fmuc xmlns='http://isode.com/protocol/fmuc can be a clue of the use of the M-Link software developed by Isode for XMPP [1]. By the way, reading some Isode documentation available in the web you can see odd 10.x.y.w S5066 addresses like the ones used in the heard transmissions (Fig. 3)

Fig. 3 - from XMPP5066EVAL.pdf by Isode
Servers names and nodes names as: mission-one@chat.ground.net/LATENCY_GROUND and mission-one@chat.ground.net/LATENCY_AIR, as well as the Test Message format suggest a test phase aimed to measure the latency of air and ground links. Note also that the tests are performed using different HF waveforms: MIL 188-110A Serial 600bps and STANAG-4539 4800bps.

That being said, probaby these are UK MoD test transmissions concerning (Isode) XMPP over HF radio but it's only my guess. Ropey @Topol_MSS27 suggests that "maybe P8 (chat.p8-one.net) is a clue and references new ops for upcoming P-8A's due to join RAF from Nov next year" [2].

12 December update
My friend Martin G8JNJ, owner of the http://southwest.ddns.net:8073/ KiwiSDR, reports he heard synch'ed transmissions on 4381.0 KHz and 5505.0 KHz too, all usb. His TDoA runs point to Inskip (Former RNAS Inskip), a transmitting site of UK DHFCS located in Lancashire, North England: it confirms my TDoA and is a further clue in favor of RAF operations.

(a lot of documentation is publicy available in the web about ISODE XMPP, google is your friend) 
[2] https://www.raf.mod.uk/aircraft/p-8a/